Disable App Armor Profile Constraint (!67) · Merge requests · Big Bang / Universe / Product / Gatekeeper

Cassie Souza requested to merge app-armor-profiles-deny into main Jul 17, 2021

Description

The original intention of the ticket was to set the default Enforcement Action to deny for the App Armor profiles constraint.

Issues Discovered

AppArmor typically applies to Linux distros derived from Debian (e.g. Ubuntu). SELinux is the equivalent technology applied to Linux distros derived from Fedora (e.g. RedHat). Currently, all of our Iron Bank containers are either distroless or RHEL UBI. So, none of them will have AppArmor.

Resolution

Unfortunately, the constraint is not useful since it does not have the ability to "ignore" non-Debian distro containers. So, we will be disabling this constraint completely in OPA Gatekeeper until we need it in the future.

Issue

This MR is to related to issue #58

Edited Jul 21, 2021 by Michael McLeroy

Admin message

Admin message

Disable App Armor Profile Constraint

Merge request reports